October 27, 2021 16:06 · February 22, 2026 01:41 · March 21, 2023 10:31 · October 3, 2024 02:49 · November 6, 2025 16:41 · February 23, 2025 19:16
 <script>
 var PAGE_SIZE = 16384;
 var SIZEOF_CSS_FONT_FACE = 0xb8;
 var HASHMAP_BUCKET = 208;
 var STRING_OFFSET = 20;
 var SPRAY_FONTS = 0x1000;
 var GUESS_FONT = 0x200430000;
 var NPAGES = 20;
 var INVALID_POINTER = 0;
 var HAMMER_FONT_NAME = "font8"; //must take bucket 3 of 8 (counting from zero)
 #!/usr/bin/env zsh

 set -e;
 set +m; # Job control would've been nice, but manual round robin it is, sigh.

 if [ -z "${ZSH_VERSION+x}" ]; then
    echo 'Try again with zsh.';
    exit 1;
 fi;
 diff --git a/Makefile b/Makefile
 index 96e99b7..4884309 100644
 --- a/Makefile
 +++ b/Makefile
 @@ -43,6 +43,10 @@ arm64:
 	gobjcopy -O binary -j .text bin/checkm8_arm64.o bin/checkm8_arm64.bin
 	rm bin/checkm8_arm64.o
 
 +	xcrun -sdk iphoneos clang src/checkm8_nopaddingcorruption_arm64.S -target arm64-apple-darwin -Wall -o bin/checkm8_nopaddingcorruption_arm64.o
 +	gobjcopy -O binary -j .text bin/checkm8_nopaddingcorruption_arm64.o bin/checkm8_nopaddingcorruption_arm64.bin
 if [ $# != 2 ]; then
    echo "Usage: $0 /path/to/input_ipa /path/to/output_ipa"
    exit 1
 fi

 if ! [ -f $1 ]; then
    echo "'$1' does not exist"
    exit 1
 fi
 #!/usr/bin/env python
 from sys import argv, stdout
 from os import system, remove, path
 from urlparse import urlparse
 import re
 import dfu
 import ssl
 import math
 import json
 import getopt
 This bug was also called moonshine in the beginning
 Basically the following bug is present in all bootroms I have looked at:
 1. When usb is started to get an image over dfu, dfu registers an interface to handle all the commands and allocates a buffer for input and output
 2. if you send data to dfu the setup packet is handled by the main code which then calls out to the interface code
 3. the interface code verifies that wLength is shorter than the input output buffer length and if that's the case it updates a pointer passed as an argument with a pointer to the input output buffer
 4. it then returns wLength which is the length it wants to recieve into the buffer
 5. the usb main code then updates a global var with the length and gets ready to recieve the data packages
 6. if a data package is recieved it gets written to the input output buffer via the pointer which was passed as an argument and another global variable is used to keep track of how many bytes were recieved already
 7. if all the data was recieved th
 ; /usr/local/bin/nasm -f macho 32.asm && ld -macosx_version_min 10.7.0 -o 32 32.o && ./32

 global start

 section .text
 start:
    push    dword msg.len
    push    dword msg
    push    dword 1
    mov     eax, 4
	<script>
	var PAGE_SIZE = 16384;
	var SIZEOF_CSS_FONT_FACE = 0xb8;
	var HASHMAP_BUCKET = 208;
	var STRING_OFFSET = 20;
	var SPRAY_FONTS = 0x1000;
	var GUESS_FONT = 0x200430000;
	var NPAGES = 20;
	var INVALID_POINTER = 0;
	var HAMMER_FONT_NAME = "font8"; //must take bucket 3 of 8 (counting from zero)
	#!/usr/bin/env zsh

	set -e;
	set +m; # Job control would've been nice, but manual round robin it is, sigh.

	if [ -z "${ZSH_VERSION+x}" ]; then
	echo 'Try again with zsh.';
	exit 1;
	fi;
	diff --git a/Makefile b/Makefile
	index 96e99b7..4884309 100644
	--- a/Makefile
	+++ b/Makefile
	@@ -43,6 +43,10 @@ arm64:
	gobjcopy -O binary -j .text bin/checkm8_arm64.o bin/checkm8_arm64.bin
	rm bin/checkm8_arm64.o

	+ xcrun -sdk iphoneos clang src/checkm8_nopaddingcorruption_arm64.S -target arm64-apple-darwin -Wall -o bin/checkm8_nopaddingcorruption_arm64.o
	+ gobjcopy -O binary -j .text bin/checkm8_nopaddingcorruption_arm64.o bin/checkm8_nopaddingcorruption_arm64.bin
	if [ $# != 2 ]; then
	echo "Usage: $0 /path/to/input_ipa /path/to/output_ipa"
	exit 1
	fi

	if ! [ -f $1 ]; then
	echo "'$1' does not exist"
	exit 1
	fi
	#!/usr/bin/env python
	from sys import argv, stdout
	from os import system, remove, path
	from urlparse import urlparse
	import re
	import dfu
	import ssl
	import math
	import json
	import getopt
	This bug was also called moonshine in the beginning
	Basically the following bug is present in all bootroms I have looked at:
	1. When usb is started to get an image over dfu, dfu registers an interface to handle all the commands and allocates a buffer for input and output
	2. if you send data to dfu the setup packet is handled by the main code which then calls out to the interface code
	3. the interface code verifies that wLength is shorter than the input output buffer length and if that's the case it updates a pointer passed as an argument with a pointer to the input output buffer
	4. it then returns wLength which is the length it wants to recieve into the buffer
	5. the usb main code then updates a global var with the length and gets ready to recieve the data packages
	6. if a data package is recieved it gets written to the input output buffer via the pointer which was passed as an argument and another global variable is used to keep track of how many bytes were recieved already
	7. if all the data was recieved th
	; /usr/local/bin/nasm -f macho 32.asm && ld -macosx_version_min 10.7.0 -o 32 32.o && ./32

	global start

	section .text
	start:
	push dword msg.len
	push dword msg
	push dword 1
	mov eax, 4